Privacy Policy

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:
ybrand.io
Danilo Abreu Ott
Turmstraße 59
72351 Geislingen
Germany
[email protected]

2. Data Collection and Processing

We process personal data (e.g., name, email address, IP address) only as necessary for the provision and operation of our SaaS platform.
Authentication data is processed via Auth0. Server hosting is provided by DigitalOcean; data is stored in MongoDB. Uploaded files (such as images, logos, and other assets) are stored on Google Cloud.
We use Hotjar and Google Tag Manager for analytics and tag management purposes.

3. Legal Basis

Data processing is based on Art. 6(1)(b) GDPR (contract performance) and, where applicable, Art. 6(1)(f) GDPR (legitimate interests in secure and efficient operation of the service). For analytics and marketing tools (Hotjar, Google Tag Manager), we rely on your consent in accordance with Art. 6(1)(a) GDPR.

4. Use of Third Parties

  • Authentication: Auth0, Inc.
  • Hosting: DigitalOcean, LLC
  • Database: MongoDB, Inc.
  • File Storage: Google Cloud Platform (Google Ireland Limited and/or Google LLC)
  • Analytics: Hotjar Ltd.
  • Tag Management: Google Tag Manager (Google Ireland Limited and/or Google LLC)

Some of these providers may process data outside the EU/EEA. We ensure that appropriate safeguards (such as Standard Contractual Clauses) are in place for any data transfers to third countries.

5. Analytics and Tracking Tools

  • Hotjar: We use Hotjar to better understand our users’ needs and to optimize our service. Hotjar uses cookies and other technologies to collect data on user behavior and devices. The information is anonymized and stored by Hotjar in a pseudonymized user profile. For more information, see Hotjar's privacy policy.
  • Google Tag Manager: We use Google Tag Manager to manage website tags. Google Tag Manager itself does not process personal data, but it may trigger other tags that do. For more information, see Google's privacy policy.

You can manage your consent for analytics and tracking tools via our cookie banner or settings.

6. Data Retention and Deletion

User data is retained for the duration of the contract. After termination and expiry of the 30-day grace period, all data (including Brand Guides and uploaded files) will be deleted.
Users can request deletion of their account and data at any time by contacting [email protected].

7. Data Subject Rights

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR)
  • Right to lodge a complaint with a supervisory authority

8. Security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or misuse. Data is encrypted in transit and at rest where possible.

9. Updates

We reserve the right to update this Privacy Policy to reflect changes in legal requirements or our processing activities. The current version is always available on our website.